The network design can be seen as a spoke type configuration (as Jeff
Burgess notes):

lanA --- routerA ----- routerZ (virtual circuit A)
lanB --- routerB ----- routerZ (virtual circuit B)
...
There are times where a server on lanA has a client on lanB and this server
has to be physically on lanA.
I was wondering if this configuration could be done:

lanA --- routerA ----- routerZ (virtual circuit A) ---- lanZ
lanB --- routerB ----- routerZ (virtual circuit B) ---- lanZ
....
where lanZ would be:

routerZ ---- firewallZ ---- routerZ

and the firewall would secure all the traffic from one site to another
(routerZ would have an "in" port that directs all the traffic from the lans
(A,B,...) to lanZ and an "out" port that "knows" the routes to the different
lans).

If I understand Robert Bonomi correctly (?), the kind of network design that
I am thinking of is what he suggested.
The head office would then receive from the different sites (A,B,...) their
security requirements (example: a server on lanA can accept telnet
connections from user1 and user2 from lanB and lanC respectively after
authentication) and make a rule on firewallZ.

Right now the bandwidth requirements are limited (some sites have direct
connections to other sites, but these will be taken out once the new network
design is in place), but I know it won't take long...

If we can manage with one firewall, can all of them do this kind of stuff?
I have read a user manual of one of them and nowhere is such a design
explained. What is explained would be:

lanA --- firewallA --- routerA ----- routerZ
lanB --- firewallB --- routerB ----- routerZ

But that would mean 200 firewalls! :(

Without going into a sales war, do any of you have this kind of
configuration?
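
The lanZ design described above, modelled as an added example that is not part of this thread: one central filter (firewallZ) sees every inter-site flow in both directions because routerZ hair-pins the traffic through it, each destination site owns the rule list that admits traffic into its own subnet, and anything unmatched is dropped. The /16 site subnets, the Rule fields and the telnet/http rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: each site holds a /16 carved out of 10.0.0.0/8.
SITES = {
    "A": ip_network("10.1.0.0/16"),
    "B": ip_network("10.2.0.0/16"),
    "C": ip_network("10.3.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src_site: str   # site whose subnet may originate the flow
    proto: str
    dport: int

# Each site submits the rules for traffic entering ITS lan; the head
# office only loads them on firewallZ.  Constructed sample policy:
# A accepts telnet from B and C, C accepts http from A, B accepts nothing.
SITE_POLICY = {
    "A": [Rule("B", "tcp", 23), Rule("C", "tcp", 23)],
    "B": [],
    "C": [Rule("A", "tcp", 80)],
}

def site_of(addr):
    ip = ip_address(addr)
    return next((n for n, net in SITES.items() if ip in net), None)

class HubFirewall:
    """firewallZ: default deny, per-site rule ownership, reply tracking."""
    def __init__(self, policy):
        self.policy = policy
        self.established = set()   # (client, cport, server, sport)

    def filter(self, src, sport, dst, dport, proto="tcp"):
        s, d = site_of(src), site_of(dst)
        if s is None or d is None:
            return "drop", "address outside the 10/8 private space"
        if s == d:
            return "local", "intra-site traffic never reaches lanZ"
        # Because of the hair-pin, the server's replies cross firewallZ too:
        # admit them only when they belong to a flow accepted earlier.
        if (dst, dport, src, sport) in self.established:
            return "accept", "reply in established flow"
        for r in self.policy[d]:
            if r.src_site == s and r.proto == proto and r.dport == dport:
                self.established.add((src, sport, dst, dport))
                return "accept", f"rule owned by site {d}"
        return "drop", f"site {d} admits no {proto}/{dport} from site {s}"
```

Without the established-flow check the stateless rules alone would drop every reply packet, which is the first thing to verify on whatever single firewall is chosen for lanZ.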

-----Original Message-----
From: Burgess, Jeff <[EMAIL PROTECTED]>
To: 'Jean-PierreCordeau' <[EMAIL PROTECTED]>
Date: July 7, 1999 11:33
Subject: RE: firewalls between two routers


>
> Jean,
>   I'm assuming your "central office" is connected to the 200 satellites in a
>"spoke" type configuration (*Imagine a wagon wheel without the outer rim*).
>So you have 1 router at the CO and individual routers at each of the
>satellites.
>
>   If this is correct, let's make the "central office" 'Z' and office 1, 2,
>and 3 A, B, and C
>
>   Does office A ever talk to C, or C ever talk to B, or do they all only
>talk to Z???
>
>
>
>-----Original Message-----
>From: Jean-PierreCordeau [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, July 07, 1999 8:52 AM
>To: firewallmain
>Subject: firewalls between two routers
>
>
>Wondering if firewalls could work in our special topology:
>here are the constraints & info:
>
>* We have a large private network where all PVCs point to the same "head
>office" if you want (the underlying ATM network is run by a telco)
>* all the local networks of every physical site are given a subnet of a
>class A 10.x.x.x address space
>* by default the routers that constitute the VPN do not have access-lists or
>security (and possibly will not be able to - due to the telco)
>* We would like to consider managing the inter-site (i.e. the communication
>needs between various local networks) security in a centralized manner
>* The risk associated with an inter-site "leak" is not great since the data
>stored in the sites is not that confidential but:
>* For legal reasons, the sites are responsible for their own data and would
>like some kind of say as to whom enters their network
>
>* It is possible for us to get all the inter-site traffic re-routed to the
>lan of the "head office" (by default the inter-site traffic never goes on the
>head office lan but is routed without security within the routers)
>
>I have read a bit in this mailing list and gone searching (at the corporate
>firewall sites) for a while, all I have read about firewalls is for securing
>a local network from a distant network (or parts of a local network).  In
>our situation it would be allowing only part of a wan to communicate with
>another part of a wan.
>
>I know a simple but $$$ solution would be to put as many firewalls as there
>are sites (between the wan link and the local nets). Is there a less
>painful alternative?
>
>In the beginning, we would be looking at a "network layer" solution (even
>though less secure) since there are 200 sites and I would not want too many
>specific rules to completely slow down the link to our "head office".
>
>Could a firewall be used in such a situation? (or am I completely on the
>wrong track?)
>Any suggestions?
>
>Thanks for any help or insight.
>
>Jean-Pierre Cordeau
>[EMAIL PROTECTED]
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
